Combine foundational cybersecurity skills with healthcare privacy.
If you manage a team that works in the healthcare industry and that interacts with, oversees, or manages protected health information (PHI) on a daily basis, the HCISPP certification should be on your workforce roadmap. HCISPP stands for HealthCare Information Security and Privacy Practitioners, with security and privacy being the two keywords of importance when discussing this certification. Earning the HCISPP indicates dedication to the protection of patient health information that directly benefits both you, as the employer, and your team members, as the certification holders.
Why is now the time for the HCISPP?
The HCISPP certification is relatively new (released in 2013). The certification was, no doubt, born from a need to educate and legitimize professionals in an industry that has since become the largest in the United States economy and one of its most regulated. It was built to satisfy a pragmatic gap in the market.
The HCISPP’s popularity and potential are beginning to take shape now, eight-odd years later, as evidenced by the growing number of new certification earners and increased job postings that list the HCISPP as a required or recommended certification. The reason for that is also blunt: cyber attacks. The increased volume and impact of ransomware attacks in particular over the last several years (including WannaCry in 2017 and Ryuk in 2020 to present) have caused an increased urgency in safeguarding patient information and securing healthcare endpoints. According to recent research from Check Point Software, ransomware attacks in healthcare have increased sharply by 45% since November 2020. There is real insurance for organizations looking to have more cyber-literate staff on hand to contend with these very real threats.
Why is the HCISPP unique?
In contrast to other great certifications from (ISC)², including the popular CISSP certification, the HCISPP is quite a different animal. While the CISSP is built strictly for cybersecurity personnel of all industries with a significant (five or more years) level of experience, the HCISPP was designed specifically for those working in the healthcare industry with just two or more years of experience and does not limit its audience to cybersecurity personnel. While this could certainly be considered a cybersecurity certification writ large, it is more so a data privacy certification with a cybersecurity lens.
Who is the HCISPP for?
The audience for the HCISPP is so varied, in fact, that it spans departments perhaps more than it spans roles. Certainly teams working within healthcare cybersecurity (Security Analysts, Information Security Managers) are prime for the certification. In addition to those groups, cyber-enabled departments like health IT (Network Administrators, IT Managers), risk and compliance (Compliance Officers, Risk Analysts, Compliance Auditors, Health Information Managers), and legal teams (Privacy Officers, Privacy and Security Consultants) can and do all benefit from the HCISPP. The digital transformation of the healthcare space has increased the need for foundational cybersecurity knowledge and the ability to work within the complex regulatory environment of this industry.
What topics or knowledge areas are covered in the HCISPP?
Like other cybersecurity-related certifications, the coverage areas for the HCISPP are broken up into categories called domains. This certification covers seven domains (effective September 2019):
- Domain 1 (12%) – Healthcare Industry
- Domain 2 (5%) – Information Governance in Healthcare
- Domain 3 (8%) – Information Technologies in Healthcare
- Domain 4 (15%) – Regulatory and Standards Environment
- Domain 5 (25%) – Privacy and Security in Healthcare
- Domain 6 (20%) – Risk Management and Risk Assessment
- Domain 7 (15%) – Third-Party Risk Management
Looking at the domain titles alone, it is easy to understand how this information is valuable to a variety of professionals working in the space. The majority of data transmitted within the healthcare industry as part of over two decades of digital transformation efforts would be valuable in the hands of threat actors and is considered highly sensitive. The 25% weight of Domain 5 supports the notion again that this certification is built around patient privacy. You’re not going to see the highly technical content here that you’d see even in entry-level to intermediate certifications like the Security+ from CompTIA or the Certified Ethical Hacker (CEH) certification from EC-Council. However, domains 2, 6, and 7 do offer a nod to more managerial cybersecurity certifications including the desirable CISM from ISACA.
Is it difficult to earn the HCISPP?
The million-dollar question had to come sooner or later. Let’s get serious. The HCISPP covers some serious ground and your team will need to diligently prepare to pass the exam. Given the less technical nature of the covered content as detailed above, it is more approachable than, say, the aforementioned CISSP. It shouldn’t send shivers down the spines of your team members, but it should command their respect.
The exam itself is up to three hours in length and covers 125 questions as a computer-based test (CBT). Like other (ISC)² certifications, a passing score is any that registers over 700 on a 1000-point scale. Your team members can sit for the exam at any Pearson VUE test center, and there is some evidence to suggest that remote proctoring might be made available in the future.
How does employing HCISPP certification holders benefit my organization?
The healthcare industry is playing catch-up in a race it is destined to lose. Despite being the largest industry in the United States, it is not the country’s cybersecurity leader. Other industries, like big tech and financial services, have deep pockets and can invest heavily in cybersecurity technology and talent, and they do. Federal agencies have access to great sums to make similar investments and can lure talented cybersecurity professionals with moving missions and well-designed career pathways. The healthcare industry can’t do those things, which often leaves healthcare organizations with growing talent gaps, increasing vulnerabilities, and stagnant budgets to address these challenges. So what can be done?
Healthcare organizations, including hospital systems, health insurers, medical device manufacturers, and a dozen other segments, need to use a different playbook. They need to look at the talented individuals that they already employ and see the opportunity in front of them. By investing in training for the cyber-enabled roles within your organization, you have the potential to efficiently and effectively upskill your teams to better serve patients directly or indirectly. The HCISPP is reflective of this initiative, increases its legitimacy and visibility, and signals to your clients that you are an organization that takes information security and privacy seriously.
Advance your team.
You and your organization have a critical mission. N2K’s HCISPP training can ensure your IT, security, and cyber-enabled personnel have the fundamental understanding of crucial cybersecurity concepts, and their implications in protecting and securing patient health information, that are essential to defending against today’s greatest cyber threats. With live online or on-demand training options, N2K works with you to accommodate the goals and needs of your organization.